
it-securitynotifies - [IT-SecNots] [Security-news] ACL - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-034

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive



  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] ACL - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-034
  • Date: Wed, 23 Aug 2023 18:21:27 +0000 (UTC)
  • Authentication-results: mail.piratenpartei.de; dkim=none; spf=pass (mail.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2023-034

Project: ACL [1]
Date: 2023-August-23
Security risk: *Critical* 17/25
AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Arbitrary PHP code execution

Affected versions: <1.0.0
Description: 
The ACL module, short for Access Control Lists, is an API for other modules
to create lists of users and give them access to nodes.

The module processes user input in a way that could be unsafe. This can lead
to Remote Code Execution via Object Injection.

As this is an API module, it is only exploitable if a "client" module exposes
the vulnerability. Details of some contributed client modules are given
below. Custom modules using ACL could also expose the vulnerability.

This vulnerability is mitigated by the fact that an attacker typically needs
an "admin"-type permission provided by one of ACL's client modules.
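The advisory names the bug class (PHP Object Injection) but not the exact sink. The following is an added example, not code from the ACL module or the Drupal project; it assumes the classic PHP pattern, `unserialize()` applied to data a user can influence, and shows the defensive form: decode with `allowed_classes => false` so that no class is instantiated and no `__wakeup()`/`__destruct()` side effect can run, then reject any payload that still decoded to an object. The helper names and the constructed sample inputs are the author's own.

```php
<?php
// Added example, not ACL's code. Assumption: the object-injection sink is
// PHP's unserialize() on user-influenced data; the advisory does not say so.
declare(strict_types=1);

/**
 * Unserialize untrusted input without instantiating any class.
 * With allowed_classes => false every serialized object becomes a
 * __PHP_Incomplete_Object, so no magic-method gadget runs. Returns the
 * decoded scalar/array, or null when the payload is malformed or
 * contains an object anywhere in its structure.
 */
function safe_unserialize(string $data): mixed
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    // unserialize() returns false on failure; 'b:0;' is the one legitimate false.
    if ($value === false && $data !== 'b:0;') {
        return null;
    }
    return contains_object($value) ? null : $value;
}

/** Recursively check whether anything in the decoded value is an object. */
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs: an ACL-style list of user IDs, and the same shape
// with a (harmless, stdClass) object smuggled into it.
$plain      = serialize(['acl_id' => 7, 'uids' => [3, 5, 8]]);
$withObject = 'a:1:{s:1:"x";O:8:"stdClass":0:{}}';

echo safe_unserialize($plain) === null ? "plain: rejected\n" : "plain: accepted\n";
echo safe_unserialize($withObject) === null ? "object: rejected\n" : "object: accepted\n";
```

The same check is worth applying in any "client" module that hands serialized data to ACL, since the advisory notes that exploitability depends on the client, not on ACL alone.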

Known client modules include:

* Forum Access
* Flexi Access
* Content Access

Coordinated Security Advisories are being released for those client modules
that have Security coverage.

Solution: 
Install the latest version:

* If you use the ACL module for Drupal 7.x, upgrade to ACL 7.x-1.4 [3]
* If you use the ACL module 8.x-1.0-beta3 or below, upgrade to ACL 8.x-1.0 [4]

Any client modules that depend on ACL should also be updated.

Reported By: 
* Drew Webber [5] of the Drupal Security Team
* Samuel Mortenson [6]

Fixed By: 
* Drew Webber [7] of the Drupal Security Team
* Hans Salvisberg [8]
* Jen Lampton [9] Provisional Member of the Drupal Security Team
* xeM8VfDh [10]

Coordinated By: 
* Drew Webber [11] of the Drupal Security Team
* Damien McKenna [12] of the Drupal Security Team
* Greg Knaddison [13] of the Drupal Security Team
* Michael Hess [14] of the Drupal Security Team


[1] https://www.drupal.org/project/acl
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/acl/releases/7.x-1.4
[4] https://www.drupal.org/project/acl/releases/8.x-1.0
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/2582268
[7] https://www.drupal.org/user/255969
[8] https://www.drupal.org/user/82964
[9] https://www.drupal.org/user/85586
[10] https://www.drupal.org/user/3446669
[11] https://www.drupal.org/user/255969
[12] https://www.drupal.org/user/108450
[13] https://www.drupal.org/user/36762
[14] https://www.drupal.org/user/102818

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.24.
